Cyber Liability. AlaHA Annual Meeting 2013

Transcription

1 Cyber Liability AlaHA Annual Meeting 2013

2 Disclaimer We are not providing legal advice. This presentation is a broad overview of health care cyber loss exposures, the process in the event of a loss, and the coverages available. We can provide recommendations regarding your operation only after reviewing the exposures in your facility and your appetite for potential loss.

3 What Is Cyber Liability It is liability and other expenses due to the unauthorized disclosure of personally identifiable information of others, including electronic data breaches as well as paper files. When applicable it includes HIPAA and HITECH requirements.

4 Examples of Litigation South Shore Hospital was fined $750,000 by the Massachusetts Attorney General when some unencrypted backup records were lost in shipping, exposing 800,000 patients' PMI and financial records. West Virginia University Medical Corporation was forced to pay $2,300,000 in punitive damages when an employee took three women's mental health records home and discussed them with locals. Emory Hospital was served with a class action lawsuit alleging $500,000,000 in damages for losing 10 data disks containing sensitive personal data of over 315,000 patients.

5 Litigation The Sutter Health Foundation A class action suit seeking $1,000 for each of the affected 4.3 million patients was filed against the Foundation after a laptop containing PMI was stolen from their hospital. UCLA Healthcare System had to defend itself in a case that alleged up to $16 million in damages following a data breach. The incident occurred when a doctor brought a hard drive home and subsequently had it stolen during a break-in, exposing 16,288 patients' personal information.

6 More Litigation Sutter Health lost 943,000 patients' confidential information when a thief broke a window and stole a computer. Sutter failed to notify the affected individuals within the time allotted by state law, prompting a lawsuit which seeks to give each member $1,000. Stanford University Hospital and Clinics faced a $20,000,000 class action lawsuit after their third-party billing vendor posted a spreadsheet of over 2,000 patients' PMI on a commercially available website. Charleston Area Medical Center faced a class action lawsuit after a third-party data management firm accidentally posted their patients' information on a publicly viewable website. Despite having paid for credit monitoring services and credit freezes for the 3,655 affected individuals, as well as hiring a risk management group to assess their practices, the plaintiffs moved forward with the lawsuit.

7 Incidents Lexington Clinic suffered an overnight burglary as well as a subsequent data breach when the thieves stole a laptop containing the PMI of many of their patients. As a result, Lexington Clinic sent letters to the 1,018 people who they believed were affected. Parkland Memorial Hospital had to pay for credit monitoring services and notifications for 1,311 of their patients after a Parkland employee stole their information in an attempt to begin his own health care practice. Staten Island University Hospital had a desktop computer stolen which contained 88,000 patients' social security numbers as well as health insurance policy numbers. In response, they notified those affected by the breach and purchased a year of credit monitoring services for them.

8 More Incidents Georgetown University Hospital sent notifications to 1,526 patients following the loss of a USB thumb drive which contained their personal medical information. Pitt County Memorial Hospital lost a USB drive that contained the PHI of approximately 1,700 patients. Pitt notified the affected individuals and provided them a year of credit monitoring. MidState Medical Center misplaced a hard drive which contained medical and personal information for an undisclosed number of patients. As a result, MidState established a hotline, notified the affected individuals and offered them two years' worth of credit monitoring services.

9 More Incidents Cincinnati Children's Hospital paid for credit monitoring services, notifications and a hotline following a data breach that resulted from a laptop being stolen from an employee's car. Adventist Health System employees accessed patient information not necessary to perform their duties in order to refer car accident victims to a lawyer, causing a breach of that information. As a result, Adventist notified the affected individuals, provided a year of credit monitoring services and fired the employees responsible for the breach.

10 What Happens if Data is Breached
Discovery of the Event: the event is theft, loss or unauthorized disclosure of Personally Identifiable Non-Public Information or Third-Party Corporate Information that is in the care, custody or control of the insured (hospital) or a third party for whom the (hospital) is legally liable.
Evaluation of the Event: Investigation and Legal Review

11 After Data Breach
Manage the Short Term Crisis: Notification; Credit Monitoring; Public Relations
Manage the Long Term Consequences: Class Action lawsuits; Regulatory Fines and Penalties; Damage to Reputation; Income Loss

12 Isn't This Covered by Non-Cyber Policies? It Is Possible but Very Unlikely
CGL Policies Usually Do Not Cover Intangible Property
Property / Business Interruption Usually Requires Direct Physical Damage
Crime Usually Applies to Tangible Property
D&O Excludes Bodily Injury, Property Damage
No Other Traditional Insurance Covers Notification Expense

13 You Get What You Pay For If You Are Lucky
Insurer/Policy Form?
A.M. Best Rating
Expertise in Field?
Breach response cost coverage?
Breach response costs coverage includes notification of up to individuals?
Credit monitoring offered to notified individuals?
Coverage includes credit restoration service?
Dedicated breach response costs limit that is in addition to third party liability aggregate limit?
Forensic and legal expenses also in addition to policy aggregate limit (sublimit of $ )?
Insurer has panel of service providers?
Insured may select legal counsel from panel?
Free risk management program included with coverage?
Security and privacy liability coverage? Limit? Retention? Duty to defend?

14 Check List
Coverage includes both non-public personally identifiable information and confidential corporate information?
Coverage extends to information in the possession of an independent contractor?
Coverage includes events and claims anywhere in the world?
Coverage includes acts by rogue employees?
Coverage includes failure to comply with own privacy policy?
Coverage includes failure to administer an identity theft prevention program required by law or take necessary actions to prevent phishing/identity theft?
Coverage for failure to timely disclose a security breach as required by law?
No exclusion for failure to maintain security?
Regulatory defense and penalties coverage?
Fines and penalties covered where insurable by law?
Coverage includes PCI fines and costs?
Crisis management and public relations coverage?
Coverage includes crisis management?

15 What If I Want to Know More? Give Us a Call: Mel Capell, CEO; Wray Smith
